Best secure practices when using Thycotic Secret Server
Hello all,
I would like clarification on the secure use of connection strings within web.config files when using Thycotic Secret Server.
My Static Application Security Testing program has flagged the web.config files as being insecure due to an “Insecure Transport: Database” issue. The common fault identified here is that the attribute “Encrypt=” is not set in the connection string. E.g.
Bad setting:
<add name="LOG.ConnectionString" connectionString="Data Source={SECRET:AA.SERVER}:{SECRET:AA.PORT}/BB.WEBSITE.COM;User ID={SECRET:AA.USER};Password={SECRET:AA.PASSWORD};pooling=true;Max Pool Size=55" providerName="Oracle.DataAccess.Client"/>
Recommended setting is:
<add name="LOG.ConnectionString" connectionString="Data Source={SECRET:AA.SERVER}:{SECRET:AA.PORT}/BB.WEBSITE.COM;User ID={SECRET:AA.USER};Password={SECRET:AA.PASSWORD};Encrypt=yes;pooling=true;Max Pool Size=55" providerName="Oracle.DataAccess.Client"/>
Also the servers are configured with SSL/TLS settings.
Connection fails when “Encrypt=yes” is set in the connection string when Thycotic is in use.
I have a few questions around this.
- When using Thycotic, is it recommended to set the encrypt attribute or can it be ignored and still be considered secure?
- If the encrypt attribute should be set, do you have any ideas why it would be failing?
Any assistance would be greatly appreciated.
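An added example, not from the original post or from Thycotic: a small Python audit script that reproduces the SAST check described above over a constructed web.config holding both connection strings from the post, reporting per entry whether Encrypt is set and whether the password is still a {SECRET:...} placeholder rather than a literal. The file contents, entry names and function names are constructed for illustration.

```python
"""Audit web.config connection strings for the Encrypt attribute (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config mirroring the post's "bad" and "recommended" entries.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="LOG.ConnectionString"
         connectionString="Data Source={SECRET:AA.SERVER}:{SECRET:AA.PORT}/BB.WEBSITE.COM;User ID={SECRET:AA.USER};Password={SECRET:AA.PASSWORD};pooling=true;Max Pool Size=55"
         providerName="Oracle.DataAccess.Client"/>
    <add name="LOG.Fixed"
         connectionString="Data Source={SECRET:AA.SERVER}:{SECRET:AA.PORT}/BB.WEBSITE.COM;User ID={SECRET:AA.USER};Password={SECRET:AA.PASSWORD};Encrypt=yes;pooling=true;Max Pool Size=55"
         providerName="Oracle.DataAccess.Client"/>
  </connectionStrings>
</configuration>"""

# Thycotic-style placeholder token in the form the post shows: {SECRET:NAME}
PLACEHOLDER = re.compile(r"\{SECRET:[^}]+\}")


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased name.
    Values containing a literal ';' (quoted values) are not handled here."""
    pairs = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_web_config(xml_text):
    """Return one finding per <add> under <connectionStrings>."""
    findings = []
    section = ET.fromstring(xml_text).find("connectionStrings")
    for add in ([] if section is None else section.findall("add")):
        pairs = parse_connection_string(add.get("connectionString", ""))
        findings.append({
            "name": add.get("name"),
            "provider": add.get("providerName"),
            # The SAST rule in the post: Encrypt must be present and enabled.
            "encrypt_set": pairs.get("encrypt", "").lower() in ("yes", "true"),
            # Secrets should stay as Secret Server placeholders, never literals.
            "password_is_placeholder": bool(PLACEHOLDER.fullmatch(pairs.get("password", ""))),
        })
    return findings


if __name__ == "__main__":
    for f in audit_web_config(SAMPLE_WEB_CONFIG):
        status = "OK" if f["encrypt_set"] else "INSECURE TRANSPORT"
        print(f"{f['name']} ({f['provider']}): Encrypt {status}; "
              f"password placeholder={f['password_is_placeholder']}")
```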